R. Kinney Williams & Associates

Internet Banking News

December 10, 2006

Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - U.S. warns of possible al-Qaida financial cyberattack - The U.S. government warned American private financial services on Thursday of an al-Qaida call for a cyberattack against online stock trading and banking Web sites beginning on Friday, a source said. The source, a person familiar with the warning, said the Islamic militant group aimed to penetrate and destroy the databases of the U.S. financial sites. The Department of Homeland Security confirmed an alert had been distributed but said there was no reason to believe the threat was credible. http://news.com.com/2102-1028_3-6139878.html?tag=st.util.print

FYI - New Rules Make Firms Track E-Mails, IMs - U.S. companies will need to keep track of all the e-mails, instant messages and other electronic documents generated by their employees thanks to new federal rules that go into effect Friday, legal experts say. The rules, approved by the Supreme Court in April, require companies and other entities involved in federal litigation to produce "electronically stored information" as part of the discovery process, when evidence is shared by both sides before a trial. http://apnews.myway.com/article/20061201/D8LNRQB80.html

FYI - Federal Rules May Not Fully Secure Online Banking Sites - IT execs say banks and credit unions need more than strong authentication - Financial institutions that truly want to bolster their online security need to look beyond the federal guidelines on end-user authentication that go into effect Jan. 1, IT managers and analysts said last week. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=274881&taxonomyId=17&intsrc=kc_top

FYI - Banks face growing threat of identity theft from insiders - Banks are pouring money into building formidable defenses against computer hackers, but are only just waking up to what may be a bigger threat--the physical theft of client information by people in the office. http://news.com.com/2102-1029_3-6137940.html?tag=st.util.print

FYI - Community America Says At Least 12 Customers Affected - Several people who went online Friday to do some banking wound up victims of a scam, officials said. Community America Credit Union confirmed to KMBC that a hacker managed to redirect people from the company's Web site to a phony site. http://www.thekansascitychannel.com/news/10408223/detail.html

FYI - Phishing attacks now using phone calls - And consumers thought they were safe by not clicking on links in unsolicited e-mails. Now comes a new batch of phishing scams that rely on an old tool - the phone - to trick people into giving away their personal information. Vishing has emerged as a new threat with the rise of Voice over Internet Protocol, technology that allows cheap and anonymous Internet calls. http://www.usatoday.com/money/industries/technology/2006-11-26-phishing-usat_x.htm?csp=34

FYI - Linkin Park, national security mash-up - A woman is accused of using a computer at a national laboratory to hack into a cell phone company's Web site to get a number for Chester Bennington, lead singer of the rock group Linkin Park. http://www.mercurynews.com/mld/mercurynews/entertainment/16098934.htm

MISSING COMPUTERS/DATA

FYI - Met Police in laptop theft security flap - Three laptops, containing the payroll and pension details of more than 15,000 Met Police officers, have been nicked from the offices of LogicaCMG, the outsourcing firm that handles the payments. http://www.theregister.co.uk/2006/11/22/met_police_laptop_theft/print.html

FYI - Stolen laptop has science centre's membership list - Ontario Science Centre officials are urging its members to remain confident that their personal information is safe after a laptop was recently stolen from the popular city attraction. http://www.towncrieronline.ca/main/main.php?rootcatid=8&direction=printstory&storyid=5847&rootsubcatid=#rootsubcatid

FYI - Women alerted to ID theft risk - Stolen computers had health data - More than 7,500 Hoosier women are at risk of identity theft after two computers containing protected health information collected for the state were stolen earlier this month. http://www.courierpress.com/news/2006/nov/25/women-alerted-to-id-theft-risk/


WEB SITE COMPLIANCE - Advertisements

Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications. 



INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - HOST AND USER EQUIPMENT ACQUISITION AND MAINTENANCE

Hardening Systems

Many financial institutions use commercial off-the-shelf (COTS) software for operating systems and applications. COTS systems generally provide more functions than are required for the specific purposes for which they are employed. For example, a default installation of a server operating system may install mail, Web, and file-sharing services on a system whose sole function is a DNS server. Unnecessary software and services represent a potential security weakness. Their presence increases the potential number of discovered and undiscovered vulnerabilities present in the system. Additionally, system administrators may not install patches or monitor the unused software and services to the same degree as operational software and services. Protection against those risks begins when the systems are constructed and software installed through a process that is referred to as hardening a system.

When deploying off-the-shelf software, management should harden the resulting system. Hardening includes the following actions:

- Determining the purpose of the system and minimum software and hardware requirements;
- Documenting the minimum hardware, software and services to be included on the system;
- Installing the minimum hardware, software, and services necessary to meet the requirements using a documented installation procedure;
- Installing necessary patches;
- Installing the most secure and up-to-date versions of applications;
- Configuring privilege and access controls by first denying all, then granting back the minimum necessary to each user;
- Configuring security settings as appropriate, enabling allowed activity, and disallowing other activity;
- Enabling logging;
- Creating cryptographic hashes of key files;
- Archiving the configuration and checksums in secure storage prior to system deployment;
- Testing the system to ensure a secure configuration;
- Using secure replication procedures for additional, identically configured systems, making configuration changes on a case-by-case basis;
- Changing all default passwords; and
- Testing the resulting systems.

After deployment, the COTS systems may need updating with current security patches. Additionally, the systems should be periodically audited to ensure that the software present on the systems is authorized and properly configured.
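
The hash, archive and periodic-audit steps above can be tied together as a baseline check. The following is an added example, not part of the FFIEC booklet or this newsletter; the file names and contents are constructed sample data, and in practice the baseline would be archived in secure storage off the host.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each file under root (by relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline

def audit(root, baseline):
    """Compare the current tree with the baseline archived before deployment."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unauthorized": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed DNS-server tree: take baseline, simulate drift, audit."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("named.conf", b"options {};\n"),
                           ("sshd_config", b"PermitRootLogin no\n"),
                           ("motd", b"authorized use only\n")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        archived = json.dumps(build_baseline(root), sort_keys=True)  # kept off-host
        # Simulated post-deployment drift: a weakened setting, a deleted file,
        # and a mail service config that was never in the documented build.
        with open(os.path.join(root, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\n")
        os.remove(os.path.join(root, "motd"))
        with open(os.path.join(root, "sendmail.cf"), "wb") as f:
            f.write(b"# not in documented build\n")
        return audit(root, json.loads(archived))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```
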



IT SECURITY QUESTION:

G. APPLICATION SECURITY

4. Determine if access to sensitive information and processes requires appropriate authentication and verification of authorized use before access is granted.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

30. Does the institution allow the consumer to opt out at any time? [§7(f)]

31. Does the institution continue to honor the consumer's opt out direction until revoked by the consumer in writing, or, if the consumer agrees, electronically? [§7(g)(1)]

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated